We have solved an issue very similar to this, and it is probably this issue. What happens is that there's a default attribute repository cache that basically stores the username's hashCode (the username is in like a list with one value or something like that, and then it calls the hashCode() method on it) as a key: https://github.com/apereo/person-directory/blob/2e1439bf804a2b93019b8e5846837fe2628abbd7/person-directory-impl/src/main/java/org/apereo/services/persondir/support/AttributeBasedCacheKeyGenerator.java#L326 . The method .hashCode does NOT guarantee unique values out of it. In fact similar strings have a higher probability of having the same hashCode, but this still can affect ones that are fairly different. To know if this is your issue, take the username of both individuals and run a test Java program that calls the default .hashCode method on them and see if they have the same value. The solution that was found was to turn the cache off:
cas.authn.attribute-repository.expiration-time=0
cas.authn.attribute-repository.expiration-time-unit=MINUTES

On Tuesday, October 13, 2020 at 11:51:02 AM UTC-6 [email protected] wrote:
> That didn't solve it.
>
> But I found one customization: a one-line Groovy script for fixing the username for Google.
>
> I replaced it by another attribute provider.
>
> On Friday, October 9, 2020 at 9:53:42 AM UTC-3 Danilo Mendes wrote:
>
>> Thank you for your responses.
>>
>> It only customized the login form, adding some warnings about usage.
>>
>> It doesn't have a proxy, or cache... At the beginning we had a load balancer (haproxy) serving a CAS cluster, but, mitigating this issue, I removed it for simplifying the installation and because it has an open issue that I thought it might be related to (https://github.com/haproxy/haproxy/issues/583). Since then I have only one CAS working directly and the problem persists.
>>
>> After Richard's reply I extended my investigation to the LDAP server and found that the node I was using was a very old and unmaintained 389-ds. Then I switched the config to a new one.
>>
>> Since then I have had a few hours without incidents. I hope it keeps like that.
>>
>> On Friday, October 9, 2020 at 8:33:35 AM UTC-3 [email protected] wrote:
>>
>>> There's not a caching proxy in front of your application, is there? If so, make sure caching is switched off; we've seen something similar and the cache was the problem.
>>>
>>> Duncan
>>>
>>> *From:* 'Richard Frovarp' via CAS Community <[email protected]>
>>> *Sent:* 08 October 2020 19:04
>>> *To:* [email protected]
>>> *Subject:* Re: [cas-user] Wrong user authenticated
>>>
>>> Probably not? That sounds like code that is being hit somewhere that isn't thread safe. The built-in LDAP code in CAS should be just fine in that respect. Assuming you're using a well supported LDAP server that wouldn't have thread issues? I don't know how an HTTP proxy would impact this. I guess the question is, do you have any custom code anywhere in the network or login flow?
>>>
>>> On Thu, 2020-10-08 at 14:59 -0300, Danilo Mendes wrote:
>>>
>>> My server is hosted on a vmware4 server and I've followed a lead about entropy and noted that /dev/random doesn't play well with VMs.
>>>
>>> Do any of you think it could be related?
>>>
>>> --
>>> Danilo Mendes
>>>
>>> On Tue, Oct 6, 2020 at 11:06 AM Danilo Mendes <[email protected]> wrote:
>>>
>>> Hello,
>>>
>>> I have a 6.1.7.1 installation authenticating GSuite apps against an LDAP directory. It's configured using the standalone profile.
>>>
>>> Most of the time it works OK, but sometimes when two users try to authenticate at the same time it sends wrong responses and User A opens User B's account.
>>>
>>> Can you help me debug this? Or point me in a direction I can follow?
>>>
>>> Thank you.
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/cb4031db-161d-4fe8-b5bb-67185018c1ben%40apereo.org.
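The first message in this thread suggests running a small Java program to see whether two usernames produce the same default hashCode, because the attribute repository cache keys on the hashCode of a one-element list holding the username. The following is an added example, not code from the thread, from CAS or from person-directory: it reimplements Java's String.hashCode() and java.util.List.hashCode() in Python so the same check can be run over a whole list of usernames without a JVM. It assumes, as the first message describes, that the cache key is List.hashCode() of a single-element list containing the username (in Java that is `Arrays.asList(username).hashCode()`); CONSTRUCTED_USERNAMES is constructed sample data, and "Aa"/"BB" is a well-known String.hashCode() collision included to show what a hit looks like.

```python
"""Find usernames that would share an attribute-cache key under Java's default hashCode().

Added example (not CAS or person-directory code). Assumption from the thread: the
cache key is java.util.List.hashCode() of a one-element list holding the username,
i.e. 31 * 1 + username.hashCode(), computed with Java's wrapping 32-bit int arithmetic.
"""
from collections import defaultdict
from typing import Dict, Iterable, List


def _to_java_int(value: int) -> int:
    """Wrap an unbounded Python integer into Java's signed 32-bit int range."""
    value &= 0xFFFFFFFF
    return value - 0x1_0000_0000 if value & 0x8000_0000 else value


def java_string_hashcode(s: str) -> int:
    """Java's String.hashCode(): h = 31*h + c over the string's UTF-16 code units.

    Encoding to UTF-16 first means characters outside the BMP are hashed as a
    surrogate pair, exactly as Java iterates them, so the result matches the JVM
    for any input string.
    """
    data = s.encode("utf-16-be")
    h = 0
    for i in range(0, len(data), 2):
        unit = (data[i] << 8) | data[i + 1]
        h = (31 * h + unit) & 0xFFFFFFFF  # wrap like Java int overflow
    return _to_java_int(h)


def java_list_hashcode(elements: Iterable[str]) -> int:
    """java.util.List.hashCode(): starts at 1, then h = 31*h + e.hashCode() per element."""
    h = 1
    for e in elements:
        h = (31 * h + java_string_hashcode(e)) & 0xFFFFFFFF
    return _to_java_int(h)


def cache_key(username: str) -> int:
    """Cache key as described in the thread: hashCode of a one-element list holding the username."""
    return java_list_hashcode([username])


def usernames_collide(a: str, b: str) -> bool:
    """True when two *different* usernames map to the same cache key."""
    return a != b and cache_key(a) == cache_key(b)


def find_collisions(usernames: Iterable[str]) -> Dict[int, List[str]]:
    """Group distinct usernames by cache key and return only the keys shared by 2+ names.

    A non-empty result means the cache can hand one user's attributes to another.
    """
    groups: Dict[int, List[str]] = defaultdict(list)
    for u in sorted(set(usernames)):
        groups[cache_key(u)].append(u)
    return {k: names for k, names in groups.items() if len(names) > 1}


# Constructed sample data: "Aa" and "BB" both hash to 2112 under String.hashCode().
CONSTRUCTED_USERNAMES = ["alice", "bob", "Aa", "BB", "carol"]


if __name__ == "__main__":
    hits = find_collisions(CONSTRUCTED_USERNAMES)
    if not hits:
        print("no cache-key collisions among the supplied usernames")
    for key, names in hits.items():
        print(f"cache key {key} is shared by: {names}")
```

To run this against a real directory, replace CONSTRUCTED_USERNAMES with the list of account names exported from LDAP and look at whatever find_collisions() returns; any group it reports is a pair of users whose cached attributes can be served to each other while the cache is enabled, which is exactly the "User A opens User B's account" symptom. Disabling the cache as the first message shows removes the dependence on hashCode uniqueness entirely, and this script only tells you whether the collision explanation fits your particular accounts.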
